Is “Malware of Mass Disruption” the WMD of the future? Insights from the stage at RSA 2018

One might wonder why one of the final mainstage presentations at RSA 2018 had “Weapons of Mass Destruction” (WMDs) in its title? When ESET Global Security Evangelist Tony Anscombe finished with his presentation, however, no one was asking that question; instead what emerged was a better understanding of how the evolution of malware has led us to the digital weaponry of today and tomorrow.

The central question of Anscombe’s presentation was: Can malware be used as a weapon of mass destruction? He contends that it can and notes that we are at a tipping point where malware evolution has led us to the latest development in cyberweapons; this is what Anscombe coins “Malware of Mass Disruption.” He defines this as the following:

Any malware that targets infrastructure and thus could damage or disable services and could potentially cause death or serious bodily injury

Any malware designed to inhibit first responders or emergency response from providing lifesaving treatment

Any malware that targets health care or medical devices and could potentially cause death or serious bodily injury

Any software that is intended to damage or disable medical systems or devices

Over the years, we have had some close calls that give a glimpse into the effect digital weapons can have. In 2017, the United Kingdom’s National Health Service (NHS) was a major victim of the WannaCryptor (aka WannaCry, WCrypt) attack [ESET detects this as Win32/Filecoder.WannaCryptor.C, or less formally as “WannaCryptor.C” — Ed.]. According to a government report, at least 6,912 NHS appointments were canceled, with estimates that the total may be as high as 19,000. These numbers only reflect NHS hospital appointments – the impact on local physician visits is unknown. Within this number are 139 urgent referrals of patients who potentially have cancer.

It would not be unreasonable to consider a malware attack a ‘weapon’ when it does in fact affect the urgent health care of patients. If the WMD definition and title were adjusted to become Malware of Mass Disruption, then the WannaCryptor attacks would certainly be categorized this way.

Perhaps one of the most notorious attacks to cause disruption to society on a large scale was the 2015 malware known as BlackEnergy, which caused power outages in Ukraine, impacting 225,000 customers for up to six hours. The malicious actors responsible attacked three regional electric power distribution companies with synchronized and coordinated attacks within 30 minutes of each other and impacted multiple central and regional facilities.

And that was only the beginning. In 2016, a new attack, later attributed to malware dubbed Industroyer, deprived the capital city of Ukraine, Kiev, of power for approximately one hour. This attack differed significantly from BlackEnergy as it targeted Industrial Control Systems (ICS). By exploiting weaknesses in the software of the ICS devices, the attackers were able to control electricity substation switches and circuit breakers directly, ultimately controlling the delivery of power.

The critical infrastructure of a city might just be the crown jewel to a nation-state actor. Attacking the power infrastructure of a city, country or even a building has the potential to cause huge disruption, and, depending on the circumstances, endanger life. Imagine if an intensive care unit of a hospital lost power; the outcome could be fatal. While this is a hypothetical scenario, it may not be far from reality – if a cybercriminal can switch off the power to a city, they probably have the ability to switch off the supply to a building and, with the right resources, change the way any backup systems may operate.

“Using the word ‘weapon’ in association with malware may be a step too far for some people,” noted Anscombe. But he points out an important malware history lesson, bringing attention to the first major attack against infrastructure, dubbed Stuxnet. “This showed, really for the first time, that a nation state could actually attack the infrastructure of another nation state by using malware as the tool or weapon,” he said.

Since prominent infrastructure attacks like Stuxnet, various examples point to a conclusion that malware has the potential to “be a weapon in the arsenal of any government or organization that wants to inflict damage or disruption on another person, organization or country – or the world as a whole,” he pointed out.

From notorious attacks like WannaCryptor, to aggressive blackouts caused by BlackEnergy and Industroyer, to attacks that potentially affect election outcomes, the reality exists that the bad actors creating and utilizing malware are disrupting our sense of safety, security and democracy.

“I will leave you to decide whether to call these weapons,” he concluded.